SOLVED

Pricing Calculator for Microsoft Sentinel


Hi everyone, I am using the Pricing Calculator for Microsoft Sentinel.

I can see the pricing split into two parts - Azure Monitor and Microsoft Sentinel.

In my understanding, Microsoft Sentinel will process the logs stored in the Log Analytics Workspace. The cost is based on the log size in the Log Analytics Workspace. It may not relate to the Azure Monitor part. The Pricing Calculator will charge the Azure Monitor part because Azure Monitor and Microsoft Sentinel share the same Log Analytics Workspace?

Basically, I am not using Azure Monitor. Is there any method to reduce the cost of the Azure Monitor part?


8 Replies
best response confirmed by CyrilChu (Occasional Contributor)
Solution

Hello @CyrilChu,

The pricing is split into two parts - Azure Monitor and Microsoft Sentinel because:

Azure Monitor is considered to be the "Ingestion" part (GB of logs that are ingested into Log Analytics Workspace) and Microsoft Sentinel is the SIEM system itself that operates logs, queries, workbooks, connectors etc.

Hello @mikhailf,

Can I simply understand it as Azure Monitor = Log Analytics Workspace (log data storage)?

@CyrilChu 

I understand it like this: Azure Monitor = Log Analytics Workspace (log data ingestion).
Not storage. For Storage, Microsoft has another part in its calculator :)

@mikhailf

Thanks a lot, I have one more question.
If I use Microsoft Lighthouse to share the resource group (Microsoft Sentinel and Log Analytics Workspace) with another tenant, will it charge two Sentinel costs?

As far as I know, if you have 2 subscriptions and 2 Sentinels and use Lighthouse to connect one Sentinel to another, you will still have to pay for both of them.
Because these are two separate Sentinels.
For example, you are a SOC company and have a customer who has Sentinel. And you want to connect your customer's Sentinel to yours to see and manage data in your own system. The customer will have to pay for his Sentinel.

@mikhailf,
I am not sure it has 2 Sentinels. The current situation is that the Customer Company uses the link below to share its resource group (including the Log Analytics Workspace, with Microsoft Sentinel already added to the workspace) with the SOC Company.
https://github.com/Azure/Azure-Lighthouse-samples
As far as I know, we need to add Microsoft Sentinel to a workspace after we create a Log Analytics Workspace. The SOC Company itself did not add Microsoft Sentinel to any workspaces before. The SOC Company can connect to the customer's Sentinel via Lighthouse directly. We don't need to add Microsoft Sentinel to the customer's workspace.
In this situation, does it still count as two separate Sentinels?

If the SOC company doesn't have Sentinel installed, you won't have to pay for it.
You can use both scenarios.
1. You have LAW + Sentinel and SOC connects to your Sentinel via Lighthouse (so you pay only for 1 Sentinel on your side)
2. You have LAW + Sentinel and SOC has its LAW + Sentinel that is fully integrated with your Sentinel. In that way, the SOC can see logs from your Sentinel in their own one (they can create rules, workbooks, etc.)

@mikhailf,
May I know which component of Azure Sentinel is? Is it a resource under the resource group?
I cannot find Sentinel in the resource group or application. Since the Lighthouse connection is resource-group based, how can I make sure that I am using the customer's Sentinel instead of the SOC Sentinel?